"Sometimes I like to think of Symantec as an elephant," said Angela Tucci, Symantec’s chief strategy officer, over lunch at London’s Soho Hotel. "Depending on which side of the elephant you look at," she explained, "you get a completely different perspective of the creature."
Symantec is indeed a behemoth. With turnover of $6.1bn it is a tenth of the size of Microsoft by revenue.
Its products cover a bewildering range, from the Norton consumer anti-virus packages, to enterprise security, compliance and storage products, cloud, and mobile security software.
The company has grown up rapidly through a patchwork series of acquisitions – more than 30 between 1989 and 2005 alone – culminating in Verisign’s identity and authentication business in 2010.
Investing in continued growth
But after 30 years of growth, revenues have remained virtually static since 2008, leaving many wondering whether Symantec’s growth spurt is over.
Tucci disagreed, pointing to seismic forces that are affecting the whole IT industry – consumerisation of IT and the inevitable rise of cloud computing.
“Like all large companies, we are going through a portfolio shift, where our bigger investments in our core businesses are helping to fuel growth and future opportunities,” she said.
The company has identified three priority areas for future growth – cloud, mobile computing and virtualisation.
Tucci said there is a big opportunity for Symantec’s 03 single sign-on service, designed to help organisations secure both their private in-house clouds and public cloud services, such as Amazon or Salesforce.
Companies can use it to decide, for example, which employees can access which information, and whether they have rights to copy information from the cloud, or to send it to their own PCs.
“You can effectively set policy on the information itself, and there is an audit trail so that when IT has to report back, it is compliant, you can see who accessed what, when, and how that information is being used,” she said.
Other Symantec tools will help companies find information they store in the cloud, allowing them to keep track of files, record who has viewed them, and to set security policies for each file.
Symantec is also looking at ways to develop secure versions of services such as Drop Box, which allow people to transfer documents and files from one PC to another through the cloud.
“There is an opportunity to make Drop Box-like solutions better and safer than anyone else on the market,” Tucci revealed.
We need to make sure personal information is protected, and business information is protected, and that those two worlds do not intermingle
Angela Tucci, chief strategy officer, Symantec
Mobile security is the second leg of Symantec’s growth strategy. With more companies encouraging their employees to bring their own devices into work, Tucci believes it has huge potential.
“The reason mobility is such a hot topic is that the people who are really driving mobility are the board, the CEO, the C-level people,” she said.
Symantec CEO Enrique Salem, for example, was the first person to use an iPad in Symantec. He brought it into work and told his CIO he wanted to run it on the network. “That scenario is being repeated in every company,” said Tucci.
But as mobile technologies multiply, so do the risks. The number of mobile threats grew by 92% last year, according to Tucci.
“When you look at things like mobile payments, you will absolutely start to see more and more threats, because there will be people trying to get into those systems to steal money,” she said.
Symantec’s strategy is to create technology that will protect data rather than the device itself.
“Devices will come and go. What we need to be able to do is make sure personal information is protected, and business information is protected, and that those two worlds do not intermingle.”
The company has developed technology to allow companies to take data and web applications, put them in a wrapper, and then apply security policies to the wrapper, said Tucci.
“You can say things like the user can’t cut and paste a document, or put this application from the enterprise into Drop Box, or they can’t go and print it on their home printer," she said.
Symantec’s presence in both consumer and business security will come into its own as more companies adopt bring-your-own-device (BYOD) to work policies.
“I love having both [consumer and business] footprints, because when I go and talk to a CIO, I say, 'All your employees, last time I checked, are consumers, and most of your employees are trying to bring their own devices to work,” she said.
Tucci talks about a future in which businesses will integrate their corporate security systems with the Norton security software used on employees' home computers, ensuring that both are kept secure.
BYOD policies will be quickly followed by bring-your-own-app to work policies, she said – and that will create further opportunities for Symantec.
“Every time we download an app, we kind of put the company at risk,” she said. “Right now, we are living in a bit of a free-for-all in the app environment. I think people are going to see that as the next vulnerability.
Symantec has been running a trusted file service for some years. It is able to identify safe and dangerous files, and IP addresses on the internet, through a network of sensors in 200 countries.
The same technology could be used to check the safety of mobile apps in the future. “We are exploring some different models,” she said.
The third plank is virtualisation. Here Symantec is developing security tools that will allow organisations to manage security on virtual machines effectively.
For example, the technology will allow companies to perform a single security scan on a server when it is split up into virtual machines, rather than having to perform multiple scans.
“It is about being efficient in a virtualised environment so you are not adding extra load just by protecting the machine,” she said.
Other tools will help companies back up and recover virtualised files.
Virtualisation will the biggest revenue generator initially, but cloud, and then mobile security, are likely to take over, according to Tucci.
Acquisitions will continue, but Tucci is keen to play down their role in the company’s growth plans.
“One of the things we have done is told our history by acquisition, which is sometimes more of a marketing message than a reality,” she said.
That has tended to mask Symantec’s in-house innovation, Tucci added, but for a company with just over 20,000 employees, it did not do too badly in securing 282 patents last year.
“We will not stop acquiring companies, but the way that we message what we are doing internally and external acquisitions will be more appropriate to the reality of the business," she added.
Not every acquisition has been well received by critics. The company paid a huge $13.5bn for storage company Veritas in 2005, eclipsing Oracle’s $10.3bn acquisition of Peoplesoft in the same year.
Some commentators have questioned whether this was too high a price to pay, and, more importantly, whether it makes sense for a security company such as Symantec to move into storage at all.
But Tucci is unrepentant. Veritas has put Symantec firmly into the datacentre, she argued, and that is helping the company forge new relationships with CIOs of the world's top companies.
“When you can save a company a lot of money, and make them a lot more productive, that gets you that C-level conversation,” she said.
As a result, Symantec is able to sell more back-up, more archiving, and more cloud technology, said Tucci.
She is equally bullish about Symantec’s other big purchase, Verisign’s identity and authentication business, bought for $1.28bn in 2010.
“Identity is such a key element in protecting people and information because it is the linkage between the two,” she said.
Symantec is using Verisign’s technology, for instance to help companies locate and manage digital certificates, which may be spread anywhere across company networks.
Other acquisitions are likely to follow. Symantec is on the lookout for companies with mobile and cloud expertise, according to Tucci – companies that will “put tail wings at our back”.
In the meantime, Tucci is working hard to fix the company’s elephant-like image.
The firm is investing heavily on a rebranding programme with a clear message – Symantec as a company that protects information and people.
The centrepiece will be the iconic Verisign checkmark logo, which will feature both on Symantec’s online services and physical storage products.
“I think by making that association, we will make it easier for customers to understand who Symantec is, when to call us, and when they should expect to see us,” she said.